
09-22-2018 09:46 AM - edited 02-21-2020 08:16 AM
Hi all,
Is it possible to change the interface from which an FTD sources LDAP queries?
I am trying to use an LDAP server which is only reachable over an S2S VPN to the main office from the remote branches, and it does not seem to work. Some remote branches have a local LDAP server which works fine when authenticating AnyConnect users.
This is the topology:
Alex
Labels: Firepower Threat Defense (FTD)
Accepted Solutions
09-23-2018 07:59 AM
That's a good question and one I hadn't considered before.
I checked a couple of my systems and it doesn't appear to be configurable. From what I can see, your FTD device will originate the LDAP query from the egress interface chosen from the routing table. I can see how that would break authentication in the use case you mentioned.
10-01-2018 10:16 PM
Hi,
We solved it by having a local RODC at the remote site. Some of my colleagues did think that it could have been solved by using FlexConfig, but that it was not really an optimal solution.
Br
Alex
10-03-2018 07:03 PM
IMO, FlexConfig will not fix this. This is the same behavior as the ASA. The ASA always sources the LDAP query from the egress interface based on routing, as Marvin mentioned in an earlier post. FTD should have inherited the same behavior. What you can do though is add an additional proxy identity (crypto ACL entry) between your FTD outside interface and the remote network. This way, the traffic between your FTD outside interface and the LDAP server will be encrypted through the L2L tunnel.
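To make the two points in this reply concrete (the query is sourced from the egress interface chosen by the routing table, and it only rides the tunnel if that source/destination pair is covered by a proxy identity), here is an added Python model that is not from the thread or from Cisco; all interfaces, routes, networks and the LDAP server address are constructed sample values.

```python
import ipaddress

net = ipaddress.ip_network

# Constructed branch FTD state (sample values, not from the thread).
INTERFACES = {
    "inside": ipaddress.ip_interface("10.1.1.1/24"),      # branch LAN
    "outside": ipaddress.ip_interface("198.51.100.2/30"),  # tunnel endpoint
}

# Routing table as (prefix, egress interface); the hub LAN, where the
# LDAP server lives, is reached via the default route out "outside".
ROUTES = [
    (net("10.1.1.0/24"), "inside"),
    (net("0.0.0.0/0"), "outside"),
]

# Crypto ACL / proxy identities as (local network, remote network).
BRANCH_ONLY_ACL = [(net("10.1.1.0/24"), net("10.0.0.0/24"))]
# Same ACL with the extra entry the reply suggests: the FTD's own
# outside address to the hub network.
WITH_OUTSIDE_HOST_ACL = BRANCH_ONLY_ACL + [
    (net("198.51.100.2/32"), net("10.0.0.0/24"))
]


def egress_interface(dst):
    """Longest-prefix match over ROUTES for a destination address."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in ROUTES if dst in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)[1]


def ldap_source_ip(ldap_server):
    """Self-originated LDAP is sourced from the egress interface's IP."""
    iface = egress_interface(ldap_server)
    return INTERFACES[iface].ip if iface else None


def ldap_query_is_protected(acl, ldap_server):
    """True if some proxy identity covers source -> LDAP server."""
    src = ldap_source_ip(ldap_server)
    dst = ipaddress.ip_address(ldap_server)
    return src is not None and any(
        src in local and dst in remote for local, remote in acl
    )
```

With only the LAN-to-LAN identity the query leaves the outside interface in the clear and the hub never sees it; adding the outside-host entry makes the same query match the crypto ACL.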
10-03-2018 04:21 PM
I don't believe this is a valid solution. There is an enhancement that is fixed in 6.2.3 to allow RADIUS and LDAP to change interface through the GUI. Before 6.2.3 you can use FlexConfig as shown in the enhancement request:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd22080/?reffering_site=dumpcr
05-07-2021 06:07 AM
At the risk of bumping an old topic, can you clarify what setting needs to be changed in order to override the default usage of mgmt0 for sourcing LDAP queries for external authentication?
